Forum Discussion
need to see source IP when using SNAT for ssh connections
Hello, is there any way to pass along the source IP address to a load-balanced SSH server when you need to use SNAT?
- keithhubb
Employee
Unfortunately, there is not a way to send the client IP when using SNAT. I did find another DevCentral post that describes a workaround.
 
How to pass client IP to member for ssh/sftp VIP
 
- Kevin_Davies
Nacreous
If you add this iRule to your SSH virtual server...
when LB_SELECTED {
    # Send the entry to the selected pool member's syslog; the remote address goes before the facility
    log [LB::server addr] local0.info "Client [IP::client_addr] connected to [LB::server addr]"
}
Then on your SSH servers allow incoming syslog from the F5 and update your syslog configuration file /etc/syslogd.conf by adding the following line. This will send incoming logs from the iRule to the same log file that logs SSH authentication in Ubuntu at least. The actual file will vary depending on OS.
local0.info /var/log/auth.log
So every time someone uses SSH to your virtual server, they will get two log entries in auth.log on the Linux system: one with the connection details showing the original IP address, and another showing the login from the local SSH daemon.
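An added example, not part of the original post: a Python sketch that pairs each sshd login arriving from the SNAT address with the client IPs the iRule logged in the preceding few seconds. The log line layout, host names, addresses, the choice of 172.31.10.6 as the SNAT address, the 5-second window and the function names are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log; the F5 line layout is an assumption.
SAMPLE = """\
Mar  3 10:15:01 bigip1 tmm[1234]: Rule /Common/ssh_src <LB_SELECTED>: Client 203.0.113.7 connected to 172.31.10.20
Mar  3 10:15:03 web1 sshd[4321]: Accepted publickey for alice from 172.31.10.6 port 40112 ssh2
Mar  3 10:20:10 bigip1 tmm[1234]: Rule /Common/ssh_src <LB_SELECTED>: Client 198.51.100.9 connected to 172.31.10.20
Mar  3 10:20:11 bigip1 tmm[1234]: Rule /Common/ssh_src <LB_SELECTED>: Client 192.0.2.44 connected to 172.31.10.20
Mar  3 10:20:12 web1 sshd[4400]: Failed password for root from 172.31.10.6 port 40200 ssh2
Mar  3 11:00:00 web1 sshd[4500]: Accepted password for bob from 172.31.10.6 port 40300 ssh2
""".splitlines()

F5_RE = re.compile(r"Client (\S+) connected to (\S+)")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+")

def stamp(line, year=2024):
    # Classic syslog timestamps omit the year; the year used here is an assumption.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def correlate(lines, snat_ip, window=5):
    """Return (user, result, [candidate client IPs]) per sshd login seen from snat_ip."""
    recent, out = [], []
    for line in lines:
        ts = stamp(line)
        if (m := F5_RE.search(line)):
            recent.append((ts, m.group(1)))
        elif (m := SSHD_RE.search(line)) and m.group(3) == snat_ip:
            lo = ts - timedelta(seconds=window)
            # The iRule logs no ports, so every client seen in the window is a candidate.
            out.append((m.group(2), m.group(1),
                        [ip for t, ip in recent if lo <= t <= ts]))
    return out

if __name__ == "__main__":
    for user, result, candidates in correlate(SAMPLE, "172.31.10.6"):
        if len(candidates) == 1:
            verdict = candidates[0]
        elif candidates:
            verdict = "ambiguous: " + ", ".join(candidates)
        else:
            verdict = "no F5 entry in window"
        print(f"{result:8} {user:6} <- {verdict}")
```

Two connections landing inside the same window produce more than one candidate, and a login with no matching F5 entry is worth checking against the syslog forwarding path.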
- Tom_K
Nimbostratus
In this other post that you referred to, it suggests turning off automap and using the self IP address as the default gateway in the SSH server. My question is: I have lots of self IPs and floating IPs, so how do I choose which one to use if the original source IP address is not in any of the F5 self IP / floating IP networks?
- Kevin_Davies
Nacreous
Your server must be in a network attached to the BIG-IP. Then it's the floating IP of the egress network when the traffic leaves the F5 on its way to your server.
For example, if your server was in the 172.31.10.0 network and the F5 had addresses of 172.31.10.5 (traffic-group-local-only) and 172.31.10.6 (traffic-group-1), then you would use 172.31.10.6 as the default route for your SSH server.